Vulnerability in Nx (build system) Package Could Allow for Sensitive Data Exfiltration

A vulnerability has been discovered in the Nx (build system) package, which could allow for sensitive data exfiltration. Nx is a smart, fast, and extensible build system designed for managing monorepos efficiently by providing features like dependency graph analysis, computation caching, distributed task execution, and codebase upgrades. Successful exploitation of this vulnerability could allow threat actors to perform network reconnaissance and leak sensitive data.
Threat Intelligence
According to StepSecurity, threat actors have successfully injected malicious code into the Nx build system package and several related plugins to collect host information, cryptocurrency wallets, and development credentials.
Systems Affected
nx/devkit 21.5.0, 20.9.0
nx/enterprise 3.2.0
nx/eslint 21.5.0
nx/js 21.5.0, 20.9.0
nx/key 3.2.0
nx/node 21.5.0, 20.9.0
nx/workspace 21.5.0, 20.9.0
Risk
Government:
– Large and medium government entities: High
– Small government entities: Medium
Businesses:
– Large and medium business entities: High
– Small business entities: Medium
Home Users: Low
Recommendations
Review the immediate remediation steps published by StepSecurity (stepsecurity.io). Apply appropriate updates provided by Nx, or by other vendors that use this software, to vulnerable systems immediately after appropriate testing. Use vulnerability scanning to find potentially exploitable software vulnerabilities and remediate them.
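A lockfile check against the versions listed under Systems Affected, as an added example that is not part of the original advisory or of Nx's own tooling. It assumes the advisory's "nx/<name>" entries correspond to the npm packages "@nx/<name>"; the function name findAffected and the sample lockfile are constructed for illustration.

```javascript
// Added example, not from the advisory: flag package-lock.json entries that match
// the versions listed under "Systems Affected".
// Assumption: the advisory's "nx/<name>" entries are the npm packages "@nx/<name>".
const AFFECTED = new Map([
  ["@nx/devkit", ["21.5.0", "20.9.0"]],
  ["@nx/enterprise", ["3.2.0"]],
  ["@nx/eslint", ["21.5.0"]],
  ["@nx/js", ["21.5.0", "20.9.0"]],
  ["@nx/key", ["3.2.0"]],
  ["@nx/node", ["21.5.0", "20.9.0"]],
  ["@nx/workspace", ["21.5.0", "20.9.0"]],
]);

// `lock` is the parsed content of package-lock.json (lockfileVersion 1, 2 or 3).
function findAffected(lock, affected = AFFECTED) {
  const hits = [];
  const check = (name, version, where) => {
    if ((affected.get(name) || []).includes(version)) hits.push({ name, version, where });
  };
  // v2/v3: flat "packages" map keyed by install path; nested copies count too.
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const i = path.lastIndexOf("node_modules/");
    if (i === -1) continue; // root project or workspace folder, not an installed package
    check(meta.name || path.slice(i + "node_modules/".length), meta.version, path);
  }
  // v1 only: nested "dependencies" tree (v2 mirrors it, so skip when "packages" exists).
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      check(name, meta.version, [...trail, name].join(" > "));
      walk(meta.dependencies, [...trail, name]);
    }
  };
  if (!lock.packages) walk(lock.dependencies, []);
  return hits;
}

// Constructed sample lockfile, not taken from a real project.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo", version: "1.0.0" },
    "node_modules/@nx/devkit": { version: "21.5.0" },
    "node_modules/@nx/js": { version: "21.4.1" },
    "node_modules/tool/node_modules/@nx/workspace": { version: "20.9.0" },
  },
};
console.log(findAffected(SAMPLE_LOCK));
```

To scan a real project, pass the parsed contents of its package-lock.json to findAffected. An empty result only means none of the listed versions are pinned in that lockfile.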
Reference
CVE:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-10894